From 5f40cc6a64897da15bccefb746aea490ab55820c Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Wed, 9 Oct 2019 16:22:12 +0100
Subject: [PATCH] [Fix] Add another safe-guard in urls processing
---
 src/libserver/url.c | 28 +++++++++++++++++++++++-----
 src/libserver/url.h | 4 ++--
 src/lua/lua_url.c | 8 ++++++--
 3 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/src/libserver/url.c b/src/libserver/url.c
index 90398ad6b..39b64abd3 100644
--- a/src/libserver/url.c
+++ b/src/libserver/url.c
@@ -2915,8 +2915,10 @@ rspamd_url_trie_generic_callback_common (struct rspamd_multipattern *mp,
 }
 if (cb->func) {
- cb->func (url, cb->start - text, (m.m_begin + m.m_len) - text,
- cb->funcd);
+ if (!cb->func (url, cb->start - text, (m.m_begin + m.m_len) - text,
+ cb->funcd)) {
+ return FALSE;
+ }
 }
 }
 else if (rc != URI_ERRNO_OK) {
@@ -2962,9 +2964,10 @@ rspamd_url_trie_generic_callback_single (struct rspamd_multipattern *mp,
 struct rspamd_url_mimepart_cbdata {
 struct rspamd_task *task;
 struct rspamd_mime_text_part *part;
+ gsize url_len;
 };
-static void
+static gboolean
 rspamd_url_text_part_callback (struct rspamd_url *url, gsize start_offset,
 gsize end_offset, gpointer ud)
 {
@@ -2985,6 +2988,17 @@ rspamd_url_text_part_callback (struct rspamd_url *url, gsize start_offset,
 ex->type = RSPAMD_EXCEPTION_URL;
 ex->ptr = url;
+ cbd->url_len += ex->len;
+
+ if (cbd->part->utf_stripped_content &&
+ cbd->url_len > cbd->part->utf_stripped_content->len * 10) {
+ /* Absurdic case, stop here now */
+ msg_err_task ("part has too many URLs, we cannot process more: %z",
+ cbd->url_len);
+
+ return FALSE;
+ }
+
 if (url->protocol == PROTOCOL_MAILTO) {
 if (url->userlen > 0) {
 target_tbl = MESSAGE_FIELD (task, emails);
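Review bot: The new `return FALSE;` in rspamd_url_trie_generic_callback_common (hunk at -2915) may not actually stop the scan. The function's signature and its other return statements are outside the hunk, so what its return value means to the multipattern matcher cannot be confirmed here; if zero means "keep matching", as is common for match callbacks of this kind, FALSE lets the scan continue and `cb->func` is invoked again for every later match. Return whichever value this function already uses to halt the matcher, and state the intent next to it, e.g. `/* inserter refused the URL: stop scanning this text */`.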
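Review bot: When the length guard added to rspamd_url_text_part_callback (hunk at -2985) trips, URL extraction ends for the rest of the part and the only trace is a single error-level log line, so later URL-based checks run on a partial URL set without any indication of it. Consider recording the truncation on the task so scoring can take it into account. The bare `* 10` would read better as a named constant with a comment such as `/* total URL bytes may not exceed 10x the stripped text length; bounds work on crafted parts */`. The log call passes a `gsize` to `%z`; confirm that the project's formatter treats that specifier as unsigned. The function body starts before and continues after this hunk.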
@@ -3014,7 +3028,6 @@ rspamd_url_text_part_callback (struct rspamd_url *url, gsize start_offset,
 if (url->querylen > 0) {
 if (rspamd_url_find (task->task_pool, url->query, url->querylen, &url_str, RSPAMD_URL_FIND_ALL, NULL, &prefix_added)) {
-
 query_url = rspamd_mempool_alloc0 (task->task_pool, sizeof (struct rspamd_url));
 rc = rspamd_url_parse (query_url,
@@ -3053,6 +3066,8 @@ rspamd_url_text_part_callback (struct rspamd_url *url, gsize start_offset,
 }
 }
 }
+
+ return TRUE;
 }
 void
@@ -3070,6 +3085,7 @@ rspamd_url_text_extract (rspamd_mempool_t *pool,
 mcbd.task = task;
 mcbd.part = part;
+ mcbd.url_len = 0;
 rspamd_url_find_multiple (task->task_pool, part->utf_stripped_content->data, part->utf_stripped_content->len, how, part->newlines,
@@ -3139,7 +3155,7 @@ rspamd_url_find_single (rspamd_mempool_t *pool,
 }
-void
+gboolean
 rspamd_url_task_subject_callback (struct rspamd_url *url, gsize start_offset,
 gsize end_offset, gpointer ud)
 {
@@ -3208,6 +3224,8 @@ rspamd_url_task_subject_callback (struct rspamd_url *url, gsize start_offset,
 }
 }
 }
+
+ return TRUE;
 }
 guint
diff --git a/src/libserver/url.h b/src/libserver/url.h
index 83a2a7f17..53c4abbeb 100644
--- a/src/libserver/url.h
+++ b/src/libserver/url.h
@@ -167,7 +167,7 @@ const gchar *rspamd_url_strerror (int err);
 */
 gboolean rspamd_url_find_tld (const gchar *in, gsize inlen, rspamd_ftok_t *out);
-typedef void (*url_insert_function) (struct rspamd_url *url,
+typedef gboolean (*url_insert_function) (struct rspamd_url *url,
 gsize start_offset, gsize end_offset, void *ud);
 /**
@@ -208,7 +208,7 @@ void rspamd_url_find_single (rspamd_mempool_t *pool,
 * @param end_offset
 * @param ud
 */
-void rspamd_url_task_subject_callback (struct rspamd_url *url,
+gboolean rspamd_url_task_subject_callback (struct rspamd_url *url,
 gsize start_offset, gsize end_offset, gpointer ud);
diff --git a/src/lua/lua_url.c b/src/lua/lua_url.c
index 8742a6027..d21ab727f 100644
--- a/src/lua/lua_url.c
+++ b/src/lua/lua_url.c
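Review bot: The `url_insert_function` typedef in url.h now returns `gboolean`, but nothing documents what the value means, and the doc block above `rspamd_url_task_subject_callback` (hunk at -208) still lists only `@param` lines. Add `@return TRUE to continue extraction, FALSE to stop processing further URLs` to that block, and a one-line comment stating the same contract above the typedef. Any inserter callbacks defined outside the three files in this patch would also need the new return type; that cannot be checked from here.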
@@ -110,7 +110,7 @@ lua_check_url (lua_State * L, gint pos)
 return ud ? ((struct rspamd_lua_url *)ud) : NULL;
 }
-static void
+static gboolean
 lua_url_single_inserter (struct rspamd_url *url, gsize start_offset,
 gsize end_offset, gpointer ud)
 {
@@ -120,6 +120,8 @@ lua_url_single_inserter (struct rspamd_url *url, gsize start_offset,
 lua_url = lua_newuserdata (L, sizeof (struct rspamd_lua_url));
 rspamd_lua_setclass (L, "rspamd{url}", -1);
 lua_url->url = url;
+
+ return TRUE;
 }
 /***
@@ -770,7 +772,7 @@ lua_url_init (lua_State *L)
 return 0;
 }
-static void
+static gboolean
 lua_url_table_inserter (struct rspamd_url *url, gsize start_offset,
 gsize end_offset, gpointer ud)
 {
@@ -785,6 +787,8 @@ lua_url_table_inserter (struct rspamd_url *url, gsize start_offset,
 lua_pushinteger (L, n + 1);
 lua_pushlstring (L, url->string, url->urllen);
 lua_settable (L, -3);
+
+ return TRUE;
 }
-- 
2.39.5